How to setup Samsung Knox Mobile Enrollment with Microsoft Intune

Samsung Knox Mobile Enrollment (KME) is a Zero Touch provisioning solution. You can fully automate the enrollment of new, or factory reset devices into an MDM solution like Microsoft Intune. The end user only have to turn on their company-owned Android device and connect to a Wi-Fi or cellular network. This will start the enrollment which the end user cannot cancel or work around.

Compared to Google’s Android Zero Touch solution, this service is only available for Samsung devices. A big advantage compared to Android Zero Touch is that it is easy to add already purchased devices (even if not purchased by an approved reseller) via the Knox Deployment App.

Prerequisites

Before you start with Samsung Knox Mobile Enrollment with Microsoft Intune make sure you have the following in place;

• A Microsoft Intune environment up-and-running with at least one Corporate-owned enrollment profile enabled (dedicated devices, fully managed user devices or corporate-owned devices with work profile)
• Make sure that you are using Samsung devices with Knox 2.8 or higher
• Configure your firewall with these Firewall Exceptions

In this blog

In this blog post I will cover the following steps.

• Create a Samsung Knox Account
• Activate Knox Mobile Enrollment
• Create an MDM profile
• Adding devices and assign the MDM profile
• Test the result / user experience

Step 1 : Create a Samsung Knox Account

Open a browser and navigate to https://www2.samsungknox.com/en/user/register

Fill in your business email address and click Next

Click Agree

Fill in the requested information and click Next

Verify your mail address and click Next

Click Done

Configure two-step verification or click Not now

Click Next

Fill in the requested information and click Next

Click Submit

Step 2 : Activate Knox Mobile Enrollment

After creating your Samsung account, you will be redirected to the Samsung Knox portal. If not, navigate to the following URL : https://central.samsungknox.com/

On the Solutions page click Knox Mobile Enrollment – Try for free (it is a free service).

Select I have read and agree to the Samsung Knox Mobile Enrollment Terms and Conditions (if you do) and click Accept

In most cases your request will have the status PENDING for one or a few hours. Once activated you can click Launch 

Step 3 : Create an MDM profile

If this is the first time you login you will see the message below.

Click Get Started

Open the MDM Profiles page and click Create Profile

Select Android Enterprise

Give this MDM Profile a Profile Name and a Description (optional). Select Let MDM choose to enroll as a Device Owner or Profile Owner (changed since Android 11) and select Microsoft Intune as your MDM solution.

Fill in the following MDM Agent APK : https://aka.ms/intune_kme_deviceowner

Leave everything else default and click Continue

Open a New browser tab and navigate to the Microsoft Endpoint Manager admin center. Open your corporate-owned device enrollment profile and copy the Token (see screenshot above)

Go back to the Samsung Knox admin portal. Fill in the following Custom JSON Data :

{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN": "your Intune MDM Profile token code"}

Replace “your Intune MDM Profile token code” with your TOKEN copied in previous step

Fill in your Company Name and leave everything else default.

Click Create

Step 4 : Adding devices and assign the MDM profile

There are two ways for adding new or already purchased Samsung devices.

Via approved reseller

You can connect your Knox Enrollment environment with a Samsung approved reseller by Exchange IDs. Once the connection is made, the reseller can add new devices automatically to your Knox Enrollment environment. You can also submit a request to add already purchased devices. This is the most easy way for adding devices.

Via Knox Deployment App from Google Play Store

If you did not purchased your devices via an approved reseller you can add devices manually. To do so, install the Knox Deployment App from the Google Play Store on an “admin” device (not on the device you want to add to Knox Mobile Enrollment). Login with your Samsung account, select the MDM Profile you want to assign to the new devices and select the way the devices needs to connect to this phone. Options are NFS, Bluetooth or Wi-Fi Direct (only for devices running Knox 3.2 or higher).  When using Bluetooth, connect the device you want to add with the “admin” device, open a browser and navigate to: https://me.samsungknox.com/. When using NFS, holding the “admin” device back-to-back with an NFC enabled device you want to add. When using Wi-Fi Direct connect the device you want to add with the Wi-Fi direct network from the “admin” device and follow the onscreen instructions on the “admin” device.

Once the device is added to the Knox Mobile Enrollment environment you can assign an MDM profile to it. Open the Devices page and select the device(s). Click on the Actions button and select Configure devices

Select the MDM Profile you want to assign to this/these device(s) and click Save

Step 5 : Test the result / user experience

Now that the device is added to the Knox Mobile Enrollment environment and the MDM Profile is assigned, we can test the result / see the user experience. The device is factory reset as you can see below.

Click on the arrow

Select End User License Agreement and click Next

Click OK

The Knox Enrollment Service gets an update (in my case)

Press Accept & continue

Press Next

Press Accept & continue

Sign in with your work account

Press Start

Set a PIN

Configure your Notifications and press Done

Press Install

Press Next

Press Start

Press Sign in

Enter your password and press Sign in

Press Register

Press Next

Press Done

Press Done